Ensure folder level default service account is not configured in Google Folder IAM Binding

LOW

Description

A default service account is granted a role at the folder level in Google Cloud, which may lead to unauthorized access.

Remediation

In GCP Console -

  1. Log into the GCP Console and go to IAM.
  2. Under Service Accounts, select the pencil icon next to the entry you wish to edit.
  3. After editing the permissions as needed, select Save.

In Terraform -

  1. In the google_folder_iam_member resource, remove the default service account from the members list.
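The check this rule performs can be reproduced over parsed Terraform resources. The following is an added example, not the rule's or Terraform's own implementation: it flags any google_folder_iam_member or google_folder_iam_binding whose member list contains one of Google's two default service accounts (the Compute Engine default and the App Engine default, whose address formats are fixed). The resource dicts and folder/project values are constructed for illustration.

```python
import re

# Google's default service accounts follow fixed address patterns:
#   Compute Engine default: <PROJECT_NUMBER>-compute@developer.gserviceaccount.com
#   App Engine default:     <PROJECT_ID>@appspot.gserviceaccount.com
DEFAULT_SA_PATTERNS = [
    re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"),
    re.compile(r"^serviceAccount:[a-z][a-z0-9-]*@appspot\.gserviceaccount\.com$"),
]

def is_default_service_account(member: str) -> bool:
    """True if an IAM member string refers to a Google default service account."""
    return any(p.match(member) for p in DEFAULT_SA_PATTERNS)

def find_default_sa_bindings(resources: list[dict]) -> list[dict]:
    """Flag folder IAM member/binding resources that grant a role to a default SA.
    Each resource is a dict with 'type', 'name' and 'config' (parsed HCL attributes)."""
    findings = []
    for r in resources:
        cfg = r.get("config", {})
        if r["type"] == "google_folder_iam_member":
            members = [cfg.get("member", "")]          # single-member resource
        elif r["type"] == "google_folder_iam_binding":
            members = cfg.get("members", [])           # authoritative member list
        else:
            continue
        for m in members:
            if is_default_service_account(m):
                findings.append({"resource": f'{r["type"]}.{r["name"]}',
                                 "role": cfg.get("role"), "member": m})
    return findings

# Constructed sample resources: one failing member, one failing binding, one clean binding.
SAMPLE_RESOURCES = [
    {"type": "google_folder_iam_member", "name": "bad_member",
     "config": {"folder": "folders/123456789012", "role": "roles/editor",
                "member": "serviceAccount:123456789012-compute@developer.gserviceaccount.com"}},
    {"type": "google_folder_iam_binding", "name": "bad_binding",
     "config": {"folder": "folders/123456789012", "role": "roles/viewer",
                "members": ["user:alice@example.com",
                            "serviceAccount:my-project@appspot.gserviceaccount.com"]}},
    {"type": "google_folder_iam_binding", "name": "ok_binding",
     "config": {"folder": "folders/123456789012", "role": "roles/viewer",
                "members": ["serviceAccount:audit-reader@my-project.iam.gserviceaccount.com"]}},
]

if __name__ == "__main__":
    for f in find_default_sa_bindings(SAMPLE_RESOURCES):
        print(f"{f['resource']}: {f['role']} granted to default SA {f['member']}")
```

The clean binding shows the remediation: a dedicated, purpose-specific service account in place of the default one.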

References:
https://cloud.google.com/resource-manager/docs/access-control-folders
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_folder_iam

Policy Details

Rule Reference ID: AC_GCP_0246
CSP: GCP
Remediation Available: Yes
Resource Category: Management
Resource Type: Folder

Frameworks